Your Thing is pwnd - Security Challenges for the Internet of Things
The growth of Internet-connected devices is hard to comprehend, from health-monitoring gadgets to home-automation systems. The real world is getting Internet connected.

Lots of these devices are built on 8-bit microcontrollers. Often they use unencrypted radio comms or networking, and default passwords. Do we care? Maybe they are too simple, too uninteresting to hack?
This talk visits examples of hacking Things, why we should care, and how to fix it.

If you are building a Thing, using an Internet-connected Thing, or working with data from Things, come along to find out what you should know about securing them.

1. Your Thing is pwnd: Security Challenges for the Internet of Things
   Paul Fremantle, CTO, WSO2 (paul@wso2.com); PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk)
   @pzfreo #wso2 #solidcon @oreillysolid

2. Firstly, does it even matter?

3. “Google Hacking”

4. My three rules for IoT security
   • 1. Don’t be dumb
   • 2. Think about what’s different
   • 3. Do be smart

5. My three rules for IoT security
   • 1. Don’t be dumb
     – The basics of Internet security haven’t gone away
   • 2. Think about what’s different
     – What are the unique challenges of your device?
   • 3. Do be smart
     – Use the best practice from the Internet

6. http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

7. http://freo.me/1pbUmof

8. So what is different about IoT?
   • The fact there is a device
     – Yes – it’s hardware!
     – Ease of use is almost always at odds with security
   • The longevity of the device
     – Updates are harder (or impossible)
   • The size of the device
     – Capabilities are limited – especially around crypto
   • The data
     – Often highly personal
   • The mindset
     – Appliance manufacturers don’t always think like security experts
     – Embedded systems are often developed by grabbing existing chips, designs, etc.

9. Physical Hacks
   A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
   Karsten Nohl and Henryk Plotz, “MIFARE, Little Security, Despite Obscurity”

10. Or try this at home? http://freo.me/1g15BiG

11. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html

12. Hardware recommendations
    • Don’t rely on obscurity

13. Hardware recommendations
    • Don’t rely on obscurity
    • Don’t rely on obscurity
    • Don’t rely on obscurity
    • Don’t rely on obscurity
    • Don’t rely on obscurity
    • Don’t rely on obscurity
    • Don’t rely on obscurity

14. Hardware Recommendation #2
    • Unlocking a single device should risk only that device’s data

15. The Network

16. Ubertooth
    http://ubertooth.sourceforge.net/
    https://www.usenix.org/conference/woot13/workshop-program/presentation/ryan

17. Crypto on small devices
    • Practical Considerations and Implementation Experiences in Securing Smart Object Networks
      – http://tools.ietf.org/html/draft-aks-crypto-sensors-02

18. ROM requirements

19. ECC is possible (and about fast enough)

20. Crypto
    Borrowed from Chris Swan: http://www.slideshare.net/cpswan/security-protocols-in-constrained-environments/13

21. Won’t ARM just solve this problem?

22. Cost matters
    8 bits: $5 retail, $1 or less to embed
    32 bits: $25 retail, $?? to embed

23. Another option?

24. SIMON and SPECK
    https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html

25. Datagram Transport Layer Security (DTLS)
    • UDP-based equivalent to TLS
    • https://tools.ietf.org/html/rfc4347

26. Key distribution

27. Passwords
    • Passwords suck for humans
    • They suck even more for devices

28. Why Federated Identity for Things?
    • Enable a meaningful consent mechanism for sharing of device data
    • Giving a device a token to use on API calls is better than giving it a password
      – Revokable
      – Granular
    • May be relevant for both
      – Device to cloud
      – Cloud to app
    • “Identity is the new perimeter”

29. MQTT

30. MQTT and OAuth2 (demo at the WSO2 booth)
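Slides 14, 28 and 30 argue for giving each device its own revokable, granular token instead of a password, and for checking that token at the MQTT broker. The block below is an added example written for this page; it is not code from the talk, from WSO2, or from any MQTT broker. It models the broker-side check: every device gets its own signed, short-lived token whose scopes name the topics it may publish or subscribe to; revoking one device's token leaves the others valid. The token format (HMAC-signed, JWT-like), the `publish:<filter>` / `subscribe:<filter>` scope syntax, the `ISSUER_KEY`, and the device ids and topics are all assumptions standing in for a real OAuth2 issuer.

```python
# Added example, not code from the talk or from WSO2: a broker-side model of
# "give the device a token, not a password" (slides 14, 28 and 30).
# Each device gets its own short-lived, signed token whose scopes name the MQTT
# topics it may publish or subscribe to. Token format, scope syntax and the
# HMAC signing are assumptions standing in for a real OAuth2 issuer (e.g. JWT).
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

# Constructed signing key for the example; a real issuer keeps this in a KMS/HSM.
ISSUER_KEY = b"example-issuer-key-not-for-production"

# Token ids (jti) the issuer has revoked. Revoking one device's token leaves
# every other device's token valid: one unlocked device risks only its own data.
REVOKED = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(device_id: str, scopes: List[str], ttl: int = 3600,
                now: Optional[int] = None) -> str:
    """Mint a signed token bound to one device with explicit topic scopes."""
    now = int(time.time()) if now is None else now
    claims = {"sub": device_id, "scp": scopes, "exp": now + ttl,
              "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[Dict]:
    """Return the claims if signature, expiry and revocation all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):  # undecodable garbage
        return None
    if claims.get("exp", 0) <= now or claims.get("jti") in REVOKED:
        return None
    return claims


def revoke(token: str) -> None:
    """Revoke one token (e.g. a device reported stolen); others are unaffected."""
    REVOKED.add(json.loads(_unb64(token.split(".")[0]))["jti"])


def _topic_matches(pattern: str, topic: str) -> bool:
    """MQTT-style filter match: '+' matches one level, '#' the remainder."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)


def authorize(token: str, action: str, topic: str,
              now: Optional[int] = None) -> bool:
    """Broker check for one PUBLISH/SUBSCRIBE. Scope syntax (assumed):
    'publish:<topic filter>' or 'subscribe:<topic filter>'."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    for scope in claims.get("scp", []):
        kind, _, pattern = scope.partition(":")
        if kind == action and _topic_matches(pattern, topic):
            return True
    return False


if __name__ == "__main__":
    # Constructed device id and topics for the demonstration.
    tok = issue_token("thermostat-42",
                      ["publish:home/42/temp", "subscribe:home/42/cmd/#"])
    print(authorize(tok, "publish", "home/42/temp"))      # True
    print(authorize(tok, "publish", "home/99/temp"))      # False (granular)
    revoke(tok)
    print(authorize(tok, "publish", "home/42/temp"))      # False (revoked)
```

The two properties the slide names fall out of the structure: granularity comes from the scope list bound into the signed claims, so a thermostat's token cannot publish on another home's topic, and revocation is a per-token decision at the issuer, so pulling one stolen device's token never touches the rest of the fleet. In a real deployment the token travels in the MQTT CONNECT password field and the broker fetches the issuer's key or introspection endpoint instead of sharing a static HMAC secret.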
31. What I haven’t covered enough of

32. Are you setting up for the next privacy or security breach?

33. Exemplars
    • Shields
    • Libraries
    • Server Frameworks
    • Standards and Profiles

34. Summary
    • 1. Don’t be dumb
    • 2. Think about the differences
    • 3. Be smart
    • 4. Create and publish exemplars

35. WSO2 Reference Architecture for the Internet of Things
    http://freo.me/iot-ra